- What: Chinese APT group conducts cyber-espionage via phishing
- Impact: Targets governments in EU and SE Asia
China's Silver Dragon Razes Governments in EU, SE Asia

The emerging actor, part of the APT41 nexus, gains initial access via phishing, and uses legitimate network services to obscure cyberespionage activities.

Elizabeth Montalbano, Contributing Writer
March 4, 2026

A Chinese threat group acting as yet another spinoff of APT41 has been conducting a cyber-espionage campaign against targets through phishing attacks that ultimately hijack system services for command-and-control (C2) and persistence, giving the group's activities a legitimate cover.

Silver Dragon, tracked by researchers at Check Point Software, has been operating since at least mid-2024, according to a report published Tuesday. Its primary target is government entities in Southeast Asia and Europe, with cyber-espionage as its typical end game, the researchers said.

Silver Dragon mainly uses existing servers and services to conduct its malicious activity, according to Check Point. The group gains its initial access by exploiting public-facing Internet servers and delivering phishing emails that contain malicious attachments. To maintain persistence, the group hijacks legitimate Windows services, allowing the malware it delivers to blend into normal system activity.

Check Point linked the group to the powerful Chinese advanced persistent threat (APT) group APT41, and noted that even in its early days, it demonstrated sophistication that suggests it has staying power.
"Throughout our analysis, we observed that the group continuously evolves its tooling and techniques, actively testing and deploying new capabilities across different campaigns," according to Check Point's post. "The use of diverse vulnerability exploits, custom loaders, and sophisticated file-based C2 communication reflects a well-resourced and adaptable threat group."

3 Silver Dragon Infection Chains

Silver Dragon typically uses one of three infection chains to gain initial access to a targeted network, according to Check Point. The first two, AppDomain hijacking and Service DLL, show clear operational overlap, according to the report.

"They are both delivered via compressed archives, suggesting their use in post-exploitation scenarios," according to the report. "In several cases, these chains were deployed following the compromise of publicly exposed vulnerable servers."

Moreover, both chains rely on the delivery of a RAR archive containing an installation batch script likely executed by the attackers, "which indicates a shared delivery mechanism," according to Check Point.

The third initial-access strategy is via a phishing campaign with a malicious LNK file as an attachment, a tactic linked to Silver Dragon based on the use of similar loaders, which the researchers collectively call "BamboLoader." In one documented case, the attackers sent phishing lures to government entities in Uzbekistan that impersonated official correspondence and included weaponized LNK attachments.

Once a system is breached, the group uses a technique called Service DLL hijacking that allows malicious code to hide within legitimate Windows services, according to Check Point. In this way, the group aims to achieve long-term persistence without being detected by standard security software.
Custom Hacking Tools of the Trade

Malware delivered by Silver Dragon includes Cobalt Strike beacons to gain an early foothold on compromised hosts, and then a DNS tunneling tool for C2 in an effort to evade some network-level detection mechanisms, according to Check Point. Its latest attacks also deliver a new custom backdoor dubbed GearDoor, which hides behind Google Drive as its C2 channel "to enable covert communication and tasking over a trusted cloud service," according to Check Point.

The group also has two other key custom tools in its arsenal: SSHcmd and SilverScreen. SSHcmd is a command-line utility designed to facilitate remote access and lateral movement within a compromised network. SilverScreen, meanwhile, is a surveillance tool specifically built to capture periodic screenshots of user activity, allowing the attackers to monitor sensitive data in real time.

A Formidable Chinese Cyber Threat Emerges

Check Point uncovered Silver Dragon's links to APT41 through "strong tradecraft similarities" in how it uses BamboLoader and post-exploitation installation scripts that align with the APT's tactics, according to the report.

APT41 (aka Double Dragon, Barium, Winnti, Wicked Spider, and Wicked Panda) is an APT that has been tracked by security researchers since at least 2012 and is best known for espionage conducted on behalf of the Chinese government. The group even went so far as to impersonate a US lawmaker in its malicious activities during critical US-China trade engagements last year. APT41's members also have been known to conduct financially motivated activity.

Silver Dragon is likely to follow more of a strategic espionage path rather than seek financial gain, but it is uniquely dangerous due to its use of legitimate system resources to hide its activities, according to Check Point.
Organizations, particularly those in the public sector, should prioritize patching Internet-facing systems to avoid exploitation of known vulnerabilities, as part of their defense against the group. They also should monitor for unauthorized modifications to Windows service configurations and look out for indicators of compromise (IoCs), which Check Point shared in the report.
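The article's advice to watch Windows service configurations for the Service DLL hijacking it describes can be made concrete with a small audit script. This is an added example, not code from the article or from Check Point's report: it lists every svchost-hosted service's ServiceDll, flags DLLs that live outside System32 or carry no valid Authenticode signature, and diffs the inventory against a baseline file whose path is an assumption.

```powershell
# Added example (not from the article or Check Point): audit svchost-hosted services'
# ServiceDll values and compare them against a saved baseline. Run as Administrator.
$BaselinePath = "$env:ProgramData\svc-dll-baseline.json"   # assumed location

function Get-ServiceDllInventory {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem $root | ForEach-Object {
        $svc = $_
        $imagePath = (Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($imagePath -notmatch 'svchost\.exe') { return }   # only svchost-hosted services
        $params = Get-ItemProperty "$($svc.PSPath)\Parameters" -ErrorAction SilentlyContinue
        if (-not $params -or -not $params.ServiceDll) { return }
        $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        $sig = if (Test-Path $dll) { (Get-AuthenticodeSignature $dll).Status } else { 'Missing' }
        [pscustomobject]@{
            Service    = $svc.PSChildName
            ServiceDll = $dll
            InSystem32 = $dll -like "$env:SystemRoot\System32\*"
            Signature  = $sig
        }
    }
}

$current = Get-ServiceDllInventory

# Two conditions worth a look: a service DLL loaded from outside System32, or one
# whose signature is not valid (a hijacked service keeps the legitimate service name).
$current | Where-Object { -not $_.InSystem32 -or $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize

# Diff against the previous run so new or changed ServiceDll values stand out.
if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath | ConvertFrom-Json
    $base = @{}
    $baseline | ForEach-Object { $base[$_.Service] = $_.ServiceDll }
    foreach ($e in $current) {
        if (-not $base.ContainsKey($e.Service)) {
            "NEW service DLL: $($e.Service) -> $($e.ServiceDll)"
        } elseif ($base[$e.Service] -ne $e.ServiceDll) {
            "CHANGED: $($e.Service) $($base[$e.Service]) -> $($e.ServiceDll)"
        }
    }
} else {
    $current | ConvertTo-Json | Set-Content $BaselinePath
    "Baseline written to $BaselinePath"
}
```

Take the first run on a known-clean host so the baseline itself is trustworthy; the flagged rows still need manual review, since some third-party services legitimately register DLLs outside System32.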